CVE ID

CVE-2025-40602

Published 2025-12-18
Updated 5 months ago
Vendor/s
SonicWall
Product/s
SMA1000 appliance
Version/s
* > 12.4.3-03245
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
6.6 / 10 (Medium)
Severity Details
Base score
6.6 Medium
Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-40602 is a privilege escalation vulnerability in SonicWall SMA1000 appliances. Active exploitation reported; update firmware immediately.

CPE

SonicWall
Product            Version Start   Version End (excl.)   Status
sma6200_firmware   *               12.4.3-03245          vulnerable
sma6200_firmware   12.5.0          12.5.0-02283          vulnerable
sma6200            -               -                     unaffected
sma6210_firmware   *               12.4.3-03245          vulnerable
sma6210_firmware   12.5.0          12.5.0-02283          vulnerable
sma6210            -               -                     unaffected
sma7200_firmware   *               12.4.3-03245          vulnerable
sma7200_firmware   12.5.0          12.5.0-02283          vulnerable
sma7200            -               -                     unaffected
sma7210_firmware   *               12.4.3-03245          vulnerable
sma7210_firmware   12.5.0          12.5.0-02283          vulnerable
sma7210            -               -                     unaffected
sma8200v           *               12.4.3-03245          vulnerable
sma8200v           12.5.0          12.5.0-02283          vulnerable

Related weakness (CWE)

CWE-250, CWE-862

Remediation plan

1. Apply official patches

Immediately download and install the security patches provided by SonicWall for the SMA1000 series as detailed in security advisory SNWLID-2025-0019.

2. Update affected systems

Ensure all SMA6200, SMA6210, SMA7200, SMA7210, and SMA8200v appliances are running firmware versions 12.4.3-03245 or 12.5.0-02283 or later.

3. Restrict access

Isolate the Appliance Management Console (AMC) from the public internet and restrict access to authorized administrative subnets using strict firewall rules and ACLs.

4. Monitor for exploitation

Review appliance audit logs for unauthorized configuration changes, unexpected privilege elevation events, or administrative sessions originating from unfamiliar internal IP addresses.
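
One way to carry out the firmware check in step 2 across an inventory, applying the version ranges from the CPE table above. This is an added example, not SonicWall's or this page's own code. It assumes firmware strings have the form major.minor.patch-build, that build numbers compare numerically, and that the 12.5.0 start bound is inclusive; the appliance names and versions in the sample inventory are constructed.

```python
import re

# Affected ranges copied from the CPE table on this page:
# (start, end) where start is inclusive (assumption) or None for "*",
# and end is exclusive, as the table header states.
AFFECTED_RANGES = [
    (None, "12.4.3-03245"),
    ("12.5.0", "12.5.0-02283"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Turn '12.4.3-03245' into (12, 4, 3, 3245); a missing build counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_listed_vulnerable(version):
    """True if the version falls inside one of the ranges in the CPE table."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        lower_ok = start is None or v >= parse_version(start)
        if lower_ok and v < parse_version(end):
            return True
    return False


def triage(inventory):
    """Map appliance name -> 'vulnerable', 'not listed' or 'unparseable'."""
    result = {}
    for name, version in inventory.items():
        try:
            hit = is_listed_vulnerable(version)
            result[name] = "vulnerable" if hit else "not listed"
        except ValueError:
            # Fail closed: an unreadable version needs a manual check.
            result[name] = "unparseable"
    return result


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {"vpn-a": "12.4.3-03093", "vpn-b": "12.4.3-03245",
                    "vpn-c": "12.5.0-02002", "vpn-d": "12.5.0-02283",
                    "vpn-e": "unknown"}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {SAMPLE_INVENTORY[name]} -> {status}")
```

Treat any "unparseable" result as unverified and confirm the firmware version on the appliance itself.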

Detection Guidance

Detecting exploitation of CVE-2025-40602 requires monitoring SonicWall AMC logs for unusual administrative behavior. Watch for log entries indicating failed authorization attempts followed by successful high-privilege actions. Security teams should also inspect system logs for any unauthorized shell access or modifications to system-level configuration files. Since this involves privilege escalation, focus on identifying accounts that suddenly exhibit root-level capabilities or perform sensitive operations outside of scheduled maintenance windows.

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
